Operator lifting in cryptographic algorithm

ABSTRACT

A system for performing an operation on data using obfuscated representations of the data is disclosed. Obtaining means are configured to obtain a first obfuscated representation of a first data value and a second obfuscated representation of a second data value. Determining means 102 are configured to determine an obfuscated representation of a third data value by performing the corresponding operations on the obfuscated representation of the first data value and the obfuscated representation of the second data value. Obfuscating means 101 may be configured to generate the first obfuscated representation from the first data value and the second obfuscated representation from the second data value. De-obfuscating means 103 may be configured to de-obfuscate the obfuscated representation of the third data value in order to obtain the third data value by solving a system of equations.

FIELD OF THE INVENTION

The invention relates to performing an operation using obfuscated representations of the operands.

BACKGROUND OF THE INVENTION

Nowadays, enormous amounts of data are transferred via networks, mobile phones, Bluetooth devices, bank automatic teller machines, and the like. In order to protect information from undesired access, encryption is very often used. In cryptography, encryption is the process of encoding a message in such a way that third parties cannot read it and only authorized parties can. In an encryption scheme, the message, referred to as plaintext, is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. This is usually done with the use of an encryption key, which specifies how the message is to be encoded. An adversary that can see the ciphertext should not be able to determine anything about the original message. An authorized party, however, is able to decode the ciphertext using a decryption algorithm that usually requires a secret decryption key, to which adversaries do not have access.

Encryption can also be applied to protect stored data, such as files in computers and storage devices.

In cloud computing, distributed computing over a network is performed, usually involving a large number of computers connected over a real-time network. The data involved in those computations need to be protected, as they are stored in a network to which third parties can easily gain access.

In “Computing Arbitrary Functions of Encrypted Data” by Craig Gentry, Communications of the ACM, Vol. 53, No. 3, pages 97-105, March 2010, an encryption scheme that keeps data private but allows operations to be performed on it is disclosed. However, this encryption scheme is computationally expensive.

Castelluccia C. et al., “Efficient Aggregation of Encrypted Data in Wireless Sensor Networks”, Mobile and Ubiquitous Systems: Networking and Services, 2005, MOBIQUITOUS 2005, 17 Jul. 2005, pages 109-117, XP010853989, ISBN: 978-0-7695-2375-0, discloses an additively homomorphic stream cipher.

WO 2006/058561 A1 discloses a cryptographic function implemented on a SIM. A random mask is used to mask the input data to the cryptographic function to be performed. In particular, the masking function is advantageously a group operation.

SUMMARY OF THE INVENTION

It would be advantageous to have a system that allows an operation to be performed using encrypted representations of data values. To better address this concern, a first aspect of the invention provides a system for performing an operation on data using obfuscated representations of the data, comprising:

obtaining means configured to obtain a first obfuscated representation (X₀,Y₀) of a first data value w₀ and to obtain a second obfuscated representation (X₁,Y₁) of a second data value w₁, wherein the following relations hold:

X₀ = A₀(w₀) ⊕ B₀(σ₀)

Y₀ = A₁(w₀) ⊕ B₁(σ₀)

X₁ = A₀(w₁) ⊕ B₀(σ₁)

Y₁ = A₁(w₁) ⊕ B₁(σ₁)

wherein

⊕ is an operator,

A₀, B₀, A₁, and B₁ are linear operators, and the operator E that maps (u,v) to (A₀(u)⊕B₀(v), A₁(u)⊕B₁(v)) is invertible with respect to u, and

σ₀ and σ₁ are state variables for providing redundancy to the obfuscated representations; and

determining means configured to determine an obfuscated representation (X₂,Y₂) of a third data value w₂, wherein w₂ is the result of applying an operator defined on the data values to w₀ and w₁, by performing the following operations on the obfuscated representation (X₀,Y₀) of the first data value w₀ and the obfuscated representation (X₁,Y₁) of the second data value w₁:

X₂ = X₀ ⊕ X₁

Y₂ = Y₀ ⊕ Y₁.

This system has the advantage that an operation between two input data values w₀ and w₁ can be performed using the obfuscated representation (X₀,Y₀) of w₀ and the obfuscated representation (X₁,Y₁) of w₁ without decoding the obfuscated representations. Moreover, the computational complexity of the operation is similar to the computational complexity of the operation ⊕, so the operation may be performed efficiently. Consequently, it is not necessary to de-obfuscate the obfuscated representations of w₀ and w₁ in order to perform an operation on them, which improves the security of the system without adding much complexity.

For example, there may be domains W, Σ and Z defined such that X₀, Y₀, X₁, and Y₁ are elements of Z; w₀ and w₁ are elements of W; σ₀ and σ₁ are elements of Σ; and A₀: W→Z, A₁: W→Z, B₀: Σ→Z, B₁: Σ→Z. Operator ⊕ may be defined on Z, a second operator may be defined on W, and an operator Δ may be defined on Σ. The operation ⊕ is commutative (that is, z₁⊕z₂ = z₂⊕z₁ for all z₁, z₂ ∈ Z) and associative, that is, (z₁⊕z₂)⊕z₃ = z₁⊕(z₂⊕z₃) for all z₁, z₂, z₃ ∈ Z. The mappings A₀, A₁ from W to Z may be such that, for all w₀, w₁ ∈ W and i = 0, 1, applying A_i to the result of the operation on W between w₀ and w₁ yields A_i(w₀) ⊕ A_i(w₁). This may be expressed by saying that A₀ and A₁ are linear. The mappings B₀, B₁ from Σ to Z may be such that, for all σ₀, σ₁ ∈ Σ and i = 0, 1, B_i(σ₀Δσ₁) = B_i(σ₀) ⊕ B_i(σ₁). We will express this by saying that B₀ and B₁ are linear. Moreover, A₀, B₀, A₁, and B₁ are selected such that it is possible to uniquely determine w ∈ W from the combination of A₀(w)⊕B₀(σ) and A₁(w)⊕B₁(σ). That is, if w, w′ ∈ W and σ, σ′ ∈ Σ are such that A_i(w)⊕B_i(σ) = A_i(w′)⊕B_i(σ′) for i = 0, 1, then w = w′.

The system may further comprise obfuscating means configured to generate the first obfuscated representation (X₀,Y₀) based on the first data value w₀ and the second obfuscated representation (X₁,Y₁) based on the second data value w₁.

The system may further comprise de-obfuscating means configured to de-obfuscate the obfuscated representation (X₂,Y₂) of the third data value w₂ in order to obtain the third data value w₂ from the system of equations:

X₂ = A₀(w₂) ⊕ B₀(σ₂)

Y₂ = A₁(w₂) ⊕ B₁(σ₂),

wherein

σ₂ is a state variable for providing redundancy to the obfuscated representation (X₂,Y₂) of the third data value w₂.

The system may further comprise a state generator for generating a value of the state variable σ₀ and/or a value of the state variable σ₁ randomly or pseudo-randomly, wherein the obfuscating means is configured to generate the first obfuscated representation (X₀,Y₀) based on the first data value w₀ and the state variable σ₀, and to generate the second obfuscated representation (X₁,Y₁) based on the second data value w₁ and the state variable σ₁. This allows strong obfuscation to be created by controlling the redundancy added by the state variables σ₀ and/or σ₁.

The obfuscating means may be configured to look up the first obfuscated representation (X₀,Y₀) and the second obfuscated representation (X₁,Y₁) in a look-up table. Additionally or alternatively, the de-obfuscating means may be configured to look up the third data value w₂ in a look-up table. This is an efficient way of implementing the obfuscation. The implementation with look-up tables also makes it more difficult for an attacker to break the obfuscation.

The obfuscating means and the de-obfuscating means may be part of a first device, and the determining means may be part of a second, different device. The first device may further comprise transmitting means and receiving means, and the second device may further comprise transmitting means and receiving means. The transmitting means of the first device may be configured to transmit the first obfuscated representation (X₀,Y₀) and the second obfuscated representation (X₁,Y₁) to the receiving means of the second device. The transmitting means of the second device may be configured to transmit the obfuscated representation (X₂,Y₂) to the receiving means of the first device. This configuration allows delegation of the operation to the second device without giving the second device access to the unobfuscated (or cleartext) data values w₀, w₁, and w₂.

The determining means may be configured to perform at least one of the computation of X₂ from X₀ and X₁ and the computation of Y₂ from Y₀ and Y₁ in the clear. This allows efficient computation of X₂ and Y₂ without needing to obfuscate the computation itself, while still not revealing the original data values to an attacker.

The values of w₀, w₁, w₂, σ₀, σ₁, σ₂, X₀, X₁, X₂, Y₀, Y₁, and Y₂ may be values having the same number of bits. This facilitates the implementation.

The operators A₀, B₀, A₁, and B₁ may be invertible operators. This makes it easier to design the system parameters.

The operator ⊕ may be a bitwise XOR operation. This is a particularly suitable operation for this application. The bitwise XOR operation may be performed by means of at least one XOR machine instruction. This is an efficient way of computing the XOR operation, and it does not reveal the original data values to an attacker.

In another aspect of the invention, a method for performing an operation on data using obfuscated representations of the data is provided. The method comprises the steps of:

obtaining a first obfuscated representation (X₀,Y₀) of a first data value w₀ and obtaining a second obfuscated representation (X₁,Y₁) of a second data value w₁, wherein the following relations hold:

X₀ = A₀(w₀) ⊕ B₀(σ₀)

Y₀ = A₁(w₀) ⊕ B₁(σ₀)

X₁ = A₀(w₁) ⊕ B₀(σ₁)

Y₁ = A₁(w₁) ⊕ B₁(σ₁),

wherein

⊕ is an operator,

A₀, B₀, A₁, and B₁ are linear operators, and the operator E that maps (u,v) to (A₀(u)⊕B₀(v), A₁(u)⊕B₁(v)) is invertible with respect to u, and

σ₀ and σ₁ are state variables for providing redundancy to the obfuscated representations; and

determining an obfuscated representation (X₂,Y₂) of a third data value w₂, wherein w₂ is the result of applying an operator defined on the data values to w₀ and w₁, by performing the following operations on the obfuscated representation (X₀,Y₀) of the first data value w₀ and the obfuscated representation (X₁,Y₁) of the second data value w₁:

X₂ = X₀ ⊕ X₁

Y₂ = Y₀ ⊕ Y₁.

In another aspect, a computer program product is provided that comprises instructions for causing a processor system to perform the method set forth.

It will be appreciated by those skilled in the art that two or more of the above-mentioned embodiments, implementations, and/or aspects of the invention may be combined in any way deemed useful.

Modifications and variations of the system, the method, and/or the computer program product, which correspond to the described modifications and variations of the system, can be carried out by a person skilled in the art on the basis of the present description.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter. In the drawings,

FIG. 1 is a block diagram of a system for securely performing an operation using obfuscated representations of the input data values.

FIG. 2 is a diagram illustrating a method of securely performing an operation using obfuscated representations of the input data values.

FIG. 3 is a diagram illustrating a method of de-obfuscating data after securely performing an operation using obfuscated representations of the input data values.

DETAILED DESCRIPTION OF EMBODIMENTS

In many applications, it is necessary to apply, in a secure way, an operation to a first input data value w₀ and a second input data value w₁, wherein a first obfuscated representation Z₀ of the first input data value w₀ and a second obfuscated representation Z₁ of the second input data value w₁ are available. It would be desirable to hide the first input data value w₀ and the second input data value w₁ from a malicious user, even if the malicious user has full access to the device, including access to the working memory, or has the capability to use debugging tools to analyze the application.

Therefore, instead of computing the values w₀ and w₁ and performing the operation on them, the operation may be performed using the first obfuscated representation Z₀ of the first input data value w₀ and the second obfuscated representation Z₁ of the second input data value w₁.

It is noted that Z₀ and Z₁ may be divided into two components, so that Z₀ = (X₀,Y₀) and Z₁ = (X₁,Y₁).

FIG. 1 illustrates an embodiment of a system for performing a secure operation. In the illustrations, several processing means have been denoted by rectangles.

Moreover, data elements have been indicated by their variable symbol and a sketched array symbolizing a bit sequence of a given length. However, the actual length of the bit sequence of each data element may be varied. The drawings do not indicate the actual length of the data elements. The system may be implemented on a single processing device, such as a properly programmed computer, a smartphone, or a smartcard. The system may also be distributed over several different processing devices.

The system comprises obtaining means for obtaining a first obfuscated representation (X₀,Y₀) of the first input data value w₀ and a second obfuscated representation (X₁,Y₁) of the second input data value w₁, wherein the following equations hold:

X₀ = A₀(w₀) ⊕ B₀(σ₀)

Y₀ = A₁(w₀) ⊕ B₁(σ₀)

X₁ = A₀(w₁) ⊕ B₀(σ₁)

Y₁ = A₁(w₁) ⊕ B₁(σ₁),

wherein ⊕ is an operator, A₀, B₀, A₁, and B₁ are linear operators, the operator E that maps (u,v) to (A₀(u)⊕B₀(v), A₁(u)⊕B₁(v)) is invertible with respect to u, and σ₀ and σ₁ are state variables for providing redundancy to the obfuscated representations. The operator ⊕ and the operator on the data values could both be a bitwise XOR operation. Alternatively, the operators could be arithmetic additions defined on a given domain.

It is noted that there may be domains W, Σ and Z defined such that X₀, Y₀, X₁, and Y₁ are elements of Z; w₀ and w₁ are elements of W; σ₀ and σ₁ are elements of Σ; and A₀: W→Z, A₁: W→Z, B₀: Σ→Z, B₁: Σ→Z. Operator ⊕ is defined on Z, a second operator is defined on W, and an operator Δ is defined on Σ. The operators A₀, B₀, A₁, and B₁ are linear operators. This means that applying A₀ to the result of the operation on W between w₀ and w₁ gives A₀(w₀) ⊕ A₀(w₁) for all w₀ and w₁ in W; likewise, applying A₁ to that result gives A₁(w₀) ⊕ A₁(w₁); and B₀(σ₀Δσ₁) = B₀(σ₀) ⊕ B₀(σ₁) and B₁(σ₀Δσ₁) = B₁(σ₀) ⊕ B₁(σ₁) for all σ₀ and σ₁ in Σ.

The operation ⊕ is commutative (that is, z₁⊕z₂ = z₂⊕z₁ for all z₁, z₂ ∈ Z) and associative, that is, (z₁⊕z₂)⊕z₃ = z₁⊕(z₂⊕z₃) for all z₁, z₂, z₃ ∈ Z.

The mappings A₀, A₁ from W to Z are thus such that, for all w₀, w₁ ∈ W and i = 0, 1, A_i applied to the result of the operation on W between w₀ and w₁ equals A_i(w₀) ⊕ A_i(w₁).

The mappings B₀, B₁ from Σ to Z are such that, for all σ₀, σ₁ ∈ Σ and i = 0, 1,

B_i(σ₀Δσ₁) = B_i(σ₀) ⊕ B_i(σ₁).

Finally, it should be feasible to determine w ∈ W from A₀(w)⊕B₀(σ) and A₁(w)⊕B₁(σ). That is, if w, w′ ∈ W and σ, σ′ ∈ Σ are such that A_i(w)⊕B_i(σ) = A_i(w′)⊕B_i(σ′) for i = 0, 1, then w = w′. For example, the mapping E: W×Σ → Z×Z that maps (w,σ) to (A₀(w)⊕B₀(σ), A₁(w)⊕B₁(σ)) is invertible. In general, from given X, Y ∈ Z and σ ∈ Σ, it should be possible to obtain w.

Now, a specific example will be discussed to illustrate this principle. Note that the selected sets and operations may be chosen differently and in a more complex way to obfuscate the data values better. In this example, W = {0,1}³, Σ = {0,1}², and Z = {0,1}². In other words, W is the set of all three-bit values, Σ is the set of all two-bit values, and Z is the set of all two-bit values. The operator ⊕, the operator on W, and Δ are the bitwise XOR operators on their respective domains. The linear operators of this example are defined as follows on their respective domains:

A₀(w₁,w₂,w₃) = (w₁,w₃)

B₀(σ₁,σ₂) = (0,σ₁)

A₁(w₁,w₂,w₃) = (0,w₂)

B₁(σ₁,σ₂) = (σ₁,0).

The obfuscated representation (X,Y) = ((x₁,x₂),(y₁,y₂)) of a value w = (w₁,w₂,w₃) with state parameter σ = (σ₁,σ₂) can then be computed as follows:

X = (x₁,x₂) = A₀(w₁,w₂,w₃) ⊕ B₀(σ₁,σ₂) = (w₁,w₃) ⊕ (0,σ₁) = (w₁⊕0, w₃⊕σ₁) = (w₁, w₃⊕σ₁);

Y = (y₁,y₂) = A₁(w₁,w₂,w₃) ⊕ B₁(σ₁,σ₂) = (0,w₂) ⊕ (σ₁,0) = (0⊕σ₁, w₂⊕0) = (σ₁,w₂).

Note that, as needed to de-obfuscate the data, each value of ((x₁,x₂),(y₁,y₂)) uniquely defines a value of (w₁,w₂,w₃), even without knowledge of (σ₁,σ₂): from Y = (σ₁,w₂) one reads σ₁ = y₁ and w₂ = y₂, and from X = (w₁, w₃⊕σ₁) one then obtains w₁ = x₁ and w₃ = x₂⊕y₁.

In this specific example, the value of (σ₁,σ₂) is not uniquely defined by a value of ((x₁,x₂),(y₁,y₂)), since σ₂ does not enter the representation at all. However, it is not necessary to be able to recover the value of (σ₁,σ₂), because the data of interest are embodied by (w₁,w₂,w₃). Note also that in this small example the bits w₁ and w₂ appear unmasked, as x₁ and y₂ respectively, and only w₃ is masked by σ₁; this is why, in practice, the sets and operators are chosen in a more complex way, as remarked above.
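The three-bit instance above, worked through exhaustively as an added example (Python written for this page, not code from the patent): it checks that combining two representations by XOR and then de-obfuscating yields w₀⊕w₁ for every choice of w₀, w₁, σ₀, σ₁, that the combined pair is exactly the representation of w₀⊕w₁ under state σ₀Δσ₁, that (X,Y) determines w uniquely while σ is not recoverable, and finally which bits of w the toy operators leave in the clear. The function names are choices made here.

```python
# Added example, not from the patent: the three-bit instance W = {0,1}^3,
# Sigma = Z = {0,1}^2, with bitwise XOR as the operator on every domain.
from itertools import product

W = list(product((0, 1), repeat=3))   # all w = (w1, w2, w3)
S = list(product((0, 1), repeat=2))   # all sigma = (s1, s2)

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def A0(w): return (w[0], w[2])   # A0(w1, w2, w3) = (w1, w3)
def A1(w): return (0, w[1])      # A1(w1, w2, w3) = (0, w2)
def B0(s): return (0, s[0])      # B0(s1, s2) = (0, s1)
def B1(s): return (s[0], 0)      # B1(s1, s2) = (s1, 0)

def obfuscate(w, s):
    """(X, Y) = (A0(w) xor B0(s), A1(w) xor B1(s)) = ((w1, w3^s1), (s1, w2))."""
    return xor(A0(w), B0(s)), xor(A1(w), B1(s))

def combine(rep0, rep1):
    """The determining means: componentwise XOR on the obfuscated pairs, nothing decoded."""
    (X0, Y0), (X1, Y1) = rep0, rep1
    return xor(X0, X1), xor(Y0, Y1)

def deobfuscate(rep):
    """Y = (s1, w2) gives s1 = y1 and w2 = y2; X = (w1, w3^s1) then gives w1 = x1, w3 = x2^y1."""
    (x1, x2), (y1, y2) = rep
    return (x1, y2, x2 ^ y1)

def homomorphism_holds():
    """For all w0, w1, s0, s1: combine() de-obfuscates to w0^w1 and equals the
    representation of w0^w1 under the state s0 Delta s1 (Delta is XOR here too)."""
    for w0, w1, s0, s1 in product(W, W, S, S):
        rep2 = combine(obfuscate(w0, s0), obfuscate(w1, s1))
        if deobfuscate(rep2) != xor(w0, w1) or rep2 != obfuscate(xor(w0, w1), xor(s0, s1)):
            return False
    return True

def w_uniquely_determined():
    """Redundancy condition: the same (X, Y) for (w, s) and (w', s') forces w = w'."""
    seen = {}
    return all(seen.setdefault(obfuscate(w, s), w) == w for w, s in product(W, S))

def sigma_recoverable():
    """False here: s2 never enters (X, Y), so (1,0) and (1,1) are indistinguishable."""
    return all(obfuscate(w, (1, 0)) != obfuscate(w, (1, 1)) for w in W)

def cleartext_positions():
    """1-based indices of the bits of w that equal some coordinate of (X, Y) for every
    sigma, i.e. that the toy operators leave unmasked: w1 (as x1) and w2 (as y2)."""
    leaked = []
    for i in range(3):
        for j in range(4):
            if all((obfuscate(w, s)[0] + obfuscate(w, s)[1])[j] == w[i] for w, s in product(W, S)):
                leaked.append(i + 1)
                break
    return leaked
```

The exhaustive loops are cheap here (8 × 8 × 4 × 4 combinations); for wider values the same checks become random trials, and the leakage check is the one a reviewer should run first on any concrete choice of A₀, B₀, A₁, B₁.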

Another simplified example is presented in the following. In this case, W, Σ and Z are all equal to the set of positive real numbers. The operator ⊕ on Z and the operator on W are real multiplication, and the operator Δ on Σ is real addition. Moreover, the linear operators are selected as follows: A₀(w) = w, A₁(w) = w², B₀(σ) = B₁(σ) = e^σ. These are linear in the sense defined above: A₀(w₀·w₁) = w₀·w₁ = A₀(w₀)·A₀(w₁), A₁(w₀·w₁) = (w₀·w₁)² = A₁(w₀)·A₁(w₁), and B_i(σ₀+σ₁) = e^(σ₀+σ₁) = B_i(σ₀)·B_i(σ₁). Note that real addition on W would not work here, since A₀(w₀+w₁) = w₀+w₁ differs from A₀(w₀)·A₀(w₁) = w₀·w₁ in general. In this case also, w can be recovered from a given (X,Y), and without knowledge of σ. Indeed, from A₀(w)⊕B₀(σ) = w·e^σ and A₁(w)⊕B₁(σ) = w²·e^σ, w is obtained by the division Y/X.
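The positive-real instance as an added example (not from the patent), with multiplication on W and Z and addition on Σ; the last two functions verify the linearity conditions under that assignment and show that addition on W would break them. Function names and sample values are assumptions made here.

```python
# Added example, not from the patent: W = Sigma = Z = positive reals, with
# multiplication as the operator on W and on Z and addition as Delta on Sigma.
import math

def A0(w): return w
def A1(w): return w * w
def B0(s): return math.exp(s)
def B1(s): return math.exp(s)

def obfuscate(w, s):
    """X = w * e^s, Y = w^2 * e^s (the operator on Z is multiplication)."""
    return A0(w) * B0(s), A1(w) * B1(s)

def combine(rep0, rep1):
    """The determining means: componentwise multiplication of the two pairs."""
    (X0, Y0), (X1, Y1) = rep0, rep1
    return X0 * X1, Y0 * Y1

def deobfuscate(rep):
    """w = Y / X; the state factor e^s cancels, so s need not be known."""
    X, Y = rep
    return Y / X

def roundtrip(w0, w1, s0, s1):
    """Obfuscate, combine, de-obfuscate: returns w0 * w1 (the result carries state s0 + s1)."""
    return deobfuscate(combine(obfuscate(w0, s0), obfuscate(w1, s1)))

def linear_with_product_on_w(w0, w1, s0, s1):
    """Linearity as required: A_i(w0*w1) = A_i(w0)*A_i(w1) and B_i(s0+s1) = B_i(s0)*B_i(s1)."""
    return (all(math.isclose(f(w0 * w1), f(w0) * f(w1)) for f in (A0, A1))
            and all(math.isclose(g(s0 + s1), g(s0) * g(s1)) for g in (B0, B1)))

def linear_with_sum_on_w(w0, w1):
    """With addition on W instead, A0(w0 + w1) = w0 + w1 differs from A0(w0) * A0(w1) = w0 * w1."""
    return math.isclose(A0(w0 + w1), A0(w0) * A0(w1))
```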

In the following, the operator is indicated by ⊕ on all domains W, Σ and Z. However, it should be kept in mind that in principle the operators on W, Σ and Z can all be different operators. Alternatively, for example if W = Σ = Z, the same operator may be used on each domain.

In a specific example, w₀, σ₀, X₀, Y₀, w₁, σ₁, X₁, and Y₁ are all data values having the same number of bits. For instance, w₀, σ₀, X₀, Y₀, w₁, σ₁, X₁, and Y₁ may have 8 bits, or may have a number of bits which is a multiple of 2, in order to implement the system more efficiently.

In a specific example, at least one of A₀, B₀, A₁, and B₁ is an invertible linear operator. In a more specific example, each of A₀, B₀, A₁, and B₁ is an invertible linear operator.

The system may comprise a data input unit 100 for determining a first input data value w₀ and a second input data value w₁. For example, the input unit 100 is configured to receive the first input data value w₀ and the second input data value w₁ via a communications subsystem of the device. Alternatively, the input unit 100 may be configured to receive the input data values from a memory, which may be an internal memory or an external memory.

For example, the obtaining means may comprise obfuscating means 101 configured to receive the first data value w₀ and the second data value w₁ as input values from the data input unit 100, and to generate the first obfuscated representation (X₀,Y₀) based on the first input data value w₀ and the second obfuscated representation (X₁,Y₁) based on the second input data value w₁. For example, a relationship between obfuscated representations and data values may be pre-computed and stored in a look-up table. Optionally, the obfuscating means 101 comprises a state generator for generating a value of the state variable σ₀ and/or a value of the state variable σ₁. These values may be generated, for example, randomly or pseudo-randomly. For example, these values may depend on w₀ and w₁, respectively. The obfuscating means 101 may be configured to generate the first obfuscated representation (X₀,Y₀) based on the first data value w₀ and the state variable σ₀, and to generate the second obfuscated representation (X₁,Y₁) based on the second data value w₁ and the state variable σ₁. In this case, for example, a relationship between obfuscated representations and pairs of data values and state values may be pre-computed and stored in a look-up table.

Alternatively, the obtaining means is configured to obtain the first obfuscated representation (X₀,Y₀) and the second obfuscated representation (X₁,Y₁) in a different way. For example, these values may be received from an external source, or may be the result of computations on obfuscated representations of other data.

The system further comprises determining means 102. The determining means 102 is configured to determine the obfuscated representation (X₂,Y₂) of a data value w₂, wherein w₂ = w₀ ⊕ w₁. More specifically, the determining means 102 computes:

X₂ = X₀ ⊕ X₁

Y₂ = Y₀ ⊕ Y₁.

In a particular example, these operations ⊕ are computed in the clear. For example, in case ⊕ is the XOR operation, that operation may be performed using a corresponding XOR machine instruction of a processor of a device on which the system is implemented.

Due to the commutative and associative properties of the operator ⊕ and the linearity of the several operators, it holds that:

X₂ = X₀ ⊕ X₁ = A₀(w₀) ⊕ B₀(σ₀) ⊕ A₀(w₁) ⊕ B₀(σ₁) = A₀(w₀) ⊕ A₀(w₁) ⊕ B₀(σ₀) ⊕ B₀(σ₁) = A₀(w₀ ⊕ w₁) ⊕ B₀(σ₀ ⊕ σ₁)

Y₂ = Y₀ ⊕ Y₁ = A₁(w₀) ⊕ B₁(σ₀) ⊕ A₁(w₁) ⊕ B₁(σ₁) = A₁(w₀) ⊕ A₁(w₁) ⊕ B₁(σ₀) ⊕ B₁(σ₁) = A₁(w₀ ⊕ w₁) ⊕ B₁(σ₀ ⊕ σ₁)

In view of this, (X₂,Y₂) is the obfuscated representation of (w₀ ⊕ w₁, σ₀ ⊕ σ₁). As defined before, w₂ = w₀ ⊕ w₁. Defining σ₂ = σ₀ ⊕ σ₁, we have that (X₂,Y₂) is the obfuscated representation of w₂ with σ₂ as the state variable.

It is noted that the obfuscating means 101 may be implemented by means of look-up tables. For example, the obfuscating means 101 may be implemented by a single look-up table. Optionally, these look-up tables may be obfuscated further by encoding the inputs and outputs of the look-up tables using techniques known from, e.g., Chow et al.

The obfuscated value (X₂,Y₂) may optionally be subject to further obfuscated processing, for example by performing additional ⊕ operations, or other kinds of operations, before being de-obfuscated. When it is time to recover the data value represented by any obtained obfuscated value, the obfuscated value may be provided to de-obfuscating means for de-obfuscation. Accordingly, the system may further comprise de-obfuscating means 103. The de-obfuscating means 103 may receive the obfuscated representation (X₂,Y₂) of the data value w₂ and may de-obfuscate it in order to obtain w₂ by solving the above-mentioned system of equations:

X₂ = A₀(w₂) ⊕ B₀(σ₂)

Y₂ = A₁(w₂) ⊕ B₁(σ₂),

wherein σ₂ is a state variable that provides redundancy to the obfuscated representation (X₂,Y₂). Since σ₂ is not transmitted to the de-obfuscating means 103, solving this system relies on the invertibility of E with respect to its first argument: w₂ must be determined by (X₂,Y₂) alone, as required above.
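The de-obfuscation by solving a system of equations, carried out as an added example (not part of the patent text) for an 8-bit instance in which A₀, B₀, A₁ and B₁ are random invertible linear maps over GF(2), ⊕ is XOR on every domain, and the combined map E is required to be invertible, so that (w₂,σ₂) is the unique solution of E·(w,σ) = (X₂,Y₂). The parameter choice, the Gaussian-elimination solver, the function names and the sample values are all assumptions made here. The determining means only XORs the two pairs, which is what a second device would do in the delegated configuration; the de-obfuscating means never receives σ₂ but recovers it as a by-product and discards it; and the look-up-table embodiment is built by tabulating every (w,σ) and checking that no two pairs with different w collide on the same (X,Y).

```python
# Added example, not from the patent: an 8-bit instance with random invertible
# GF(2)-linear A0, B0, A1, B1, XOR as the operator on every domain, and
# de-obfuscation by solving E.(w, sigma) = (X, Y) by Gaussian elimination.
import random

N = 8  # common bit width of w, sigma, X and Y (an assumption made here)

def parity(x):
    return bin(x).count("1") & 1

def apply(M, v):
    """Apply a GF(2) matrix stored as row bitmasks: bit r of the result is <M[r], v>."""
    return sum(parity(row & v) << r for r, row in enumerate(M))

def gf2_rank(rows):
    rows, rk = list(rows), 0
    for col in range(max((r.bit_length() for r in rows), default=0)):
        piv = next((i for i in range(rk, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        for i in range(len(rows)):
            if i != rk and rows[i] >> col & 1:
                rows[i] ^= rows[rk]
        rk += 1
    return rk

def solve_gf2(rows, rhs, nvars):
    """Solve M.u = rhs for square invertible M (row r is equation r, bit r of rhs its right-hand side)."""
    aug = [[rows[r], rhs >> r & 1] for r in range(nvars)]
    for col in range(nvars):
        piv = next(i for i in range(col, nvars) if aug[i][0] >> col & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(nvars):
            if i != col and aug[i][0] >> col & 1:
                aug[i][0] ^= aug[col][0]
                aug[i][1] ^= aug[col][1]
    return sum(aug[col][1] << col for col in range(nvars))

def make_params(seed):
    """Choose invertible N x N maps A0, B0, A1, B1 such that the combined map E on
    u = (w << N) | sigma is itself invertible (a sufficient form of 'invertible w.r.t. u')."""
    rng = random.Random(seed)
    def invertible_matrix():
        while True:
            rows = [rng.getrandbits(N) for _ in range(N)]
            if gf2_rank(rows) == N:
                return rows
    while True:
        A0, B0, A1, B1 = (invertible_matrix() for _ in range(4))
        # equation r < N is bit r of Y, equation N + r is bit r of X, matching (X << N) | Y
        E = [(A1[r] << N) | B1[r] for r in range(N)] + [(A0[r] << N) | B0[r] for r in range(N)]
        if gf2_rank(E) == 2 * N:
            return {"A0": A0, "B0": B0, "A1": A1, "B1": B1, "E": E}

def obfuscate(p, w, sigma):
    """X = A0(w) ^ B0(sigma), Y = A1(w) ^ B1(sigma)."""
    return apply(p["A0"], w) ^ apply(p["B0"], sigma), apply(p["A1"], w) ^ apply(p["B1"], sigma)

def combine(rep0, rep1):
    """The determining means: one XOR per component, in the clear, on obfuscated inputs only."""
    (X0, Y0), (X1, Y1) = rep0, rep1
    return X0 ^ X1, Y0 ^ Y1

def deobfuscate(p, X, Y):
    """Solve X = A0(w) ^ B0(sigma), Y = A1(w) ^ B1(sigma) for w; sigma is solved too and dropped."""
    return solve_gf2(p["E"], (X << N) | Y, 2 * N) >> N

def build_table(p):
    """Look-up-table embodiment: (X, Y) -> w over all (w, sigma). Returns None on a collision,
    i.e. two pairs with different w and the same (X, Y), which would violate the redundancy condition."""
    table = {}
    for w in range(1 << N):
        for sigma in range(1 << N):
            if table.setdefault(obfuscate(p, w, sigma), w) != w:
                return None
    return table

def check(p, trials, seed=0):
    """Random trials of obfuscate -> combine -> de-obfuscate, both by solving and by table."""
    rng, table = random.Random(seed), build_table(p)
    for _ in range(trials):
        w0, w1, s0, s1 = (rng.getrandbits(N) for _ in range(4))
        X2, Y2 = combine(obfuscate(p, w0, s0), obfuscate(p, w1, s1))
        if (X2, Y2) != obfuscate(p, w0 ^ w1, s0 ^ s1):   # linearity: the result carries state s0 ^ s1
            return False
        if deobfuscate(p, X2, Y2) != w0 ^ w1 or table[(X2, Y2)] != w0 ^ w1:
            return False
    return True

if __name__ == "__main__":
    params = make_params(seed=7)
    rep0, rep1 = obfuscate(params, 0xA5, 0x17), obfuscate(params, 0x3C, 0xE9)
    print(hex(deobfuscate(params, *combine(rep0, rep1))), check(params, 200))
```

Requiring E to be invertible as a whole is stronger than the text's condition (it makes σ recoverable as well); it is used here because it turns de-obfuscation into a plain linear solve. Individually invertible A's and B's do not guarantee it (A₀ = A₁ with B₀ = B₁ gives rank N), which is why make_params re-draws until the combined rank is 2N.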

The system may further comprise an output unit configured to receive the computed value of w₂ from the de-obfuscating means 103 and forward the value of w₂ to other components of the system (not shown), and/or store the value of w₂ in a memory. For example, the output unit may be configured to display a visualization of the data w₂ on a display device and/or reproduce the data on an audio device.

The input means 100 and/or the obfuscating means 101 may be part of a first device, and the determining means 102 may be part of a second device, wherein the first device is a different device from the second device. For instance, the input means 100 may receive the first input data value w₀ and the second input data value w₁ from memory or from an external source and provide them to the obfuscating means 101, which calculates the first obfuscated representation (X₀,Y₀) of the first input data value w₀ and the second obfuscated representation (X₁,Y₁) of the second input data value w₁. The first device may comprise transmitter means. The transmitter means may transmit the obfuscated representation (X₀,Y₀) of the first input data value w₀ and the second obfuscated representation (X₁,Y₁) of the second input data value w₁ to the second device. The second device may comprise receiving means. The receiving means may receive the obfuscated representation (X₀,Y₀) of the first input data value w₀ and the second obfuscated representation (X₁,Y₁) of the second input data value w₁ from the first device, and provide them to the determining means 102. The determining means 102 may determine the obfuscated representation (X₂,Y₂) of a data value w₂, wherein w₂ = w₀ ⊕ w₁, in the way set forth hereinabove. The de-obfuscating means 103 (and the optional output unit) may be part of the first device, or of the second device, or of a further, third device. Accordingly, the second device may comprise a transmitter configured to transmit the obfuscated representation (X₂,Y₂) to the first or third device.

FIG. 2 illustrates a method of securely performing an operation using obfuscated representations of input data values.

The method comprises a step 201 of obfuscating a first input data value w₀ and a second input data value w₁ to generate a first obfuscated representation (X₀,Y₀) of the first input data value w₀ and a second obfuscated representation (X₁,Y₁) of the second input data value w₁. The first obfuscated representation (X₀,Y₀) of the first input data value w₀ and/or the second obfuscated representation (X₁,Y₁) of the second input data value w₁ may be generated by computing the following equations:

X₀ = A₀(w₀) ⊕ B₀(σ₀)

Y₀ = A₁(w₀) ⊕ B₁(σ₀)

X₁ = A₀(w₁) ⊕ B₀(σ₁)

Y₁ = A₁(w₁) ⊕ B₁(σ₁)

The first obfuscated representation (X₀,Y₀) of the first input data value w₀ and/or the second obfuscated representation (X₁,Y₁) of the second input data value w₁ may be generated by looking them up in a look-up table. The look-up table may define a relation between an obfuscated representation (X₃,Y₃) of a data value w₃ and the obfuscated representation (X₀,Y₀) of the first input data value w₀.

The method may further comprise a step 202 of determining an obfuscated representation (X₂,Y₂) of a third data value w₂, wherein w₂ = w₀ ⊕ w₁. The obfuscated representation (X₂,Y₂) of the third data value w₂ may be determined by performing the following operations:

X₂ = X₀ ⊕ X₁

Y₂ = Y₀ ⊕ Y₁

wherein (X₀,Y₀) may be the first obfuscated representation of the first input data value w₀ and (X₁,Y₁) may be the second obfuscated representation of the second input data value w₁.

The method may further comprise a step 203 of sending the determined obfuscated representation (X₂,Y₂) of the third data value w₂ for further processing (for instance, for performing a new operation), or for storing in a look-up table, wherein the look-up table may be used later for generating obfuscated representations.

FIG. 3 illustrates a method in which obfuscated data is de-obfuscated after performing an operation using obfuscated representations of input data values.

The method may comprise a step 301 of receiving a first obfuscated representation (X₀,Y₀) of the first input data value w₀ and a second obfuscated representation (X₁,Y₁) of the second input data value w₁. The first obfuscated representation (X₀,Y₀) of the first input data value w₀ and/or the second obfuscated representation (X₁,Y₁) of the second input data value w₁ may have been generated by computing the following equations:

X₀ = A₀(w₀) ⊕ B₀(σ₀)

Y₀ = A₁(w₀) ⊕ B₁(σ₀)

X₁ = A₀(w₁) ⊕ B₀(σ₁)

Y₁ = A₁(w₁) ⊕ B₁(σ₁)

The first obfuscated representation (X₀,Y₀) of the first input data value w₀ and/or the second obfuscated representation (X₁,Y₁) of the second input data value w₁ may have been generated using a look-up table. The look-up table may define a relation between an obfuscated representation (X₃,Y₃) of a data value w₃ and the obfuscated representation (X₀,Y₀) of the first input data value w₀.

The method may further comprise a step 302 of determining an obfuscated representation (X₂,Y₂) of a third data value w₂, wherein w₂ = w₀ ⊕ w₁. The obfuscated representation (X₂,Y₂) of the third data value w₂ may be determined by performing the following operations:

X₂ = X₀ ⊕ X₁

Y₂ = Y₀ ⊕ Y₁

wherein (X₀,Y₀) may be the first obfuscated representation of the first input data value w₀ and (X₁,Y₁) may be the second obfuscated representation of the second input data value w₁.

The method may further comprise a step 303 of de-obfuscating the determined obfuscated representation (X₂,Y₂) of the third data value w₂ in order to obtain w₂. The de-obfuscation may be performed by solving the system of equations:

X₂ = A₀(w₂) ⊕ B₀(σ₂)

Y₂ = A₁(w₂) ⊕ B₁(σ₂),

wherein ⊕ is an operator, A₀, B₀, A₁, and B₁ are operators that are linear with respect to the operator ⊕, the operator E that maps (u,v) to (A₀(u)⊕B₀(v), A₁(u)⊕B₁(v)) is invertible with respect to u, and σ₂ is a state variable for providing redundancy to the obfuscated representation.

The de-obfuscated value w₂ may be sent to another unit for further processing (for instance, for performing a new operation, or for display purposes), or for storing in a look-up table, wherein the look-up table may be used later for de-obfuscating obfuscated representations.

It will be appreciated that the invention also applies to computer programs, particularly computer programs on or in a carrier, adapted to put the invention into practice. The program may be in the form of source code, object code, a code intermediate between source and object code such as in a partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. It will also be appreciated that such a program may have many different architectural designs. For example, program code implementing the functionality of the method or system according to the invention may be sub-divided into one or more sub-routines. Many different ways of distributing the functionality among these sub-routines will be apparent to the skilled person. The sub-routines may be stored together in one executable file to form a self-contained program. Such an executable file may comprise computer-executable instructions, for example processor instructions and/or interpreter instructions (e.g. Java interpreter instructions). Alternatively, one or more or all of the sub-routines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time. The main program contains at least one call to at least one of the sub-routines. The sub-routines may also comprise calls to each other. An embodiment relating to a computer program product comprises computer-executable instructions corresponding to each processing step of at least one of the methods set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each means of at least one of the systems and/or products set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.

The carrier of a computer program may be any entity or device capable of carrying the program. For example, the carrier may include a storage medium, such as a ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example a flash drive or a hard disk. Furthermore, the carrier may be a transmissible carrier such as an electric or optical signal, which may be conveyed via electric or optical cable or by radio or other means. When the program is embodied in such a signal, the carrier may be constituted by such a cable or other device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted to perform, or used in the performance of, the relevant method.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb “comprise” and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article “a” or “an” preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

1. A system for performing an operation on data using obfuscated representations of the data, comprising: obtaining means configured to obtain a first obfuscated representation (X₀,Y₀) of a first data value w₀ and obtain a second obfuscated representation (X₁,Y₁) of a second data value w₁, wherein the following relations hold:

X₀ = A₀(w₀) ⊕ B₀(σ₀)
Y₀ = A₁(w₀) ⊕ B₁(σ₀)
X₁ = A₀(w₁) ⊕ B₀(σ₁)
Y₁ = A₁(w₁) ⊕ B₁(σ₁)

wherein ⊕ is an operator, A₀ and A₁ are linear operators dependent on a data value (w₀, w₁), B₀ and B₁ are linear operators dependent on a state variable (σ₀, σ₁), and an operator E that maps (u,v) to (A₀(u)⊕B₀(v), A₁(u)⊕B₁(v)) is invertible with respect to u, and σ₀ and σ₁ are state variables that provide redundancy to the obfuscated representations; and determining means configured to determine an obfuscated representation (X₂,Y₂) of a third data value w₂, wherein w₂ = w₀

w₁, wherein

is an operator, by performing the following operations on the obfuscated representation (X₀,Y₀) of the first data value w₀ and the obfuscated representation (X₁,Y₁) of the second data value w₁:

X₂ = X₀ ⊕ X₁
2. The system of claim 1, further comprising obfuscating means configured to generate the first obfuscated representation (X₀,Y₀) based on the first data value w₀ and the second obfuscated representation (X₁,Y₁) based on the second data value w₁.
3. The system of claim 1, further comprising: de-obfuscating means configured to de-obfuscate the obfuscated representation (X₂,Y₂) of the third data value w₂ in order to obtain the third data value w₂ using the system of equations:

X₂ = A₀(w₂) ⊕ B₀(σ₂)
Y₂ = A₁(w₂) ⊕ B₁(σ₂)

wherein σ₂ is a state variable for providing redundancy to the obfuscated representation (X₂,Y₂) of the third data value w₂.
4. The system of claim 2, further comprising a state generator for generating a value of the state variable σ₀ and/or a value of the state variable σ₁ randomly or pseudo-randomly, and wherein the obfuscating means is configured to generate the first obfuscated representation (X₀,Y₀) based on the first data value w₀ and the state variable σ₀, and to generate the second obfuscated representation (X₁,Y₁) based on the second data value w₁ and the state variable σ₁.

5. The system of claim 2, wherein the obfuscating means is configured to look up the first obfuscated representation (X₀,Y₀) and the second obfuscated representation (X₁,Y₁) in a look-up table, and/or the de-obfuscating means is configured to look up the third data value w₂ in a look-up table.
6. The system of claim 3, wherein the obfuscating means and the de-obfuscating means are part of a first device and the determining means are part of a second device, wherein the first device further comprises a transmitting means and a receiving means, wherein the second device further comprises a transmitting means and a receiving means, wherein the transmitting means of the first device is configured to transmit the first obfuscated representation (X₀,Y₀) and the second obfuscated representation (X₁,Y₁) to the receiving means of the second device, and wherein the transmitting means of the second device is configured to transmit the obfuscated representation (X₂,Y₂) to the receiving means of the first device.
7. The system of claim 1, wherein the determining means is configured to perform at least one of the computation of X₂ from X₀ and X₁ and the computation of Y₂ from Y₀ and Y₁ in the clear.
8. The system of claim 1, wherein w₀, w₁, w₂, σ₀, σ₁, σ₂, X₀, X₁, X₂, Y₀, Y₁, and Y₂ are values having a same number of bits.

9. The system of claim 1, wherein at least one of the operators A₀, B₀, A₁, and B₁ is an invertible operator.
10. The system of claim 9, wherein each one of the operators A₀, B₀, A₁, and B₁ is an invertible operator.

11. The system of claim 1, wherein the operator ⊕ is a bitwise XOR operation and the operator

is a bitwise XOR operator.
12. The system of claim 11, wherein the bitwise XOR operation is performed by at least one XOR machine instruction.
13. A method for performing an operation on data using obfuscated representations of the data, comprising the steps of: obtaining a first obfuscated representation (X₀,Y₀) of a first data value w₀ and obtaining a second obfuscated representation (X₁,Y₁) of a second data value w₁, wherein the following relations hold:

X₀ = A₀(w₀) ⊕ B₀(σ₀)
Y₀ = A₁(w₀) ⊕ B₁(σ₀)
X₁ = A₀(w₁) ⊕ B₀(σ₁)
Y₁ = A₁(w₁) ⊕ B₁(σ₁)

wherein ⊕ is an operator, A₀ and A₁ are linear operators dependent on a data value (w₀, w₁), B₀ and B₁ are linear operators dependent on a state variable (σ₀, σ₁), and an operator E that maps (u,v) to (A₀(u)⊕B₀(v), A₁(u)⊕B₁(v)) is invertible with respect to u, and σ₀ and σ₁ are state variables for providing redundancy to the obfuscated representations; and determining an obfuscated representation (X₂,Y₂) of a third data value w₂, wherein w₂ = w₀

w₁, wherein

is an operator, by performing the following operations on the obfuscated representation (X₀,Y₀) of the first data value w₀ and the obfuscated representation (X₁,Y₁) of the second data value w₁:

X₂ = X₀ ⊕ X₁
Y₂ = Y₀ ⊕ Y₁.
14. A computer program product comprising instructions for causing a processor system to perform the method of claim 13.
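As an added illustration of claims 1, 3 and 11 (this is not code from the patent), the following Python models the scheme over n-bit values: it draws a random invertible 2n×2n matrix E over GF(2), whose four n×n blocks play the roles of A₀, B₀, A₁ and B₁, obfuscates as (X,Y) = E(w,σ), XORs two representations component-wise, and de-obfuscates by applying E⁻¹ and discarding the state. It assumes that E is fully invertible (a stronger condition than the claim's invertibility with respect to u) and uses a fixed seed and constructed sample values; all function and class names are this example's own.

```python
import random

def gf2_apply(rows, x):
    """Apply a GF(2)-linear operator (list of row bitmasks) to bit vector x."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows))

def gf2_inverse(rows):
    """Gauss-Jordan inversion of an n x n GF(2) matrix; ValueError if singular."""
    n = len(rows)
    aug = [r | (1 << (n + i)) for i, r in enumerate(rows)]  # [M | I]
    for col in range(n):
        pivot = next((i for i in range(col, n) if aug[i] >> col & 1), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for i in range(n):
            if i != col and aug[i] >> col & 1:
                aug[i] ^= aug[col]
    return [r >> n for r in aug]

class XorObfuscation:
    """(X, Y) = E(w, sigma); assumption: E is a fully invertible 2n x 2n GF(2) map."""
    def __init__(self, n, seed=0):
        rng = random.Random(seed)          # fixed seed: constructed example, not a secret
        self.n, self.mask = n, (1 << n) - 1
        while True:                        # draw E until it is invertible
            self.E = [rng.getrandbits(2 * n) for _ in range(2 * n)]
            try:
                self.E_inv = gf2_inverse(self.E)
                break
            except ValueError:
                pass
        # Blocks of E are the claim's operators: X = A0(w)^B0(sigma), Y = A1(w)^B1(sigma)
        self.A0 = [r & self.mask for r in self.E[:n]]
        self.B0 = [r >> n for r in self.E[:n]]
        self.A1 = [r & self.mask for r in self.E[n:]]
        self.B1 = [r >> n for r in self.E[n:]]

    def obfuscate(self, w, sigma):
        out = gf2_apply(self.E, w | (sigma << self.n))
        return out & self.mask, out >> self.n

    def deobfuscate(self, X, Y):
        """Solve the system of equations for w; the state sigma is recovered and dropped."""
        return gf2_apply(self.E_inv, X | (Y << self.n)) & self.mask

def xor_representations(rep0, rep1):
    """Claim 1: X2 = X0 xor X1 and Y2 = Y0 xor Y1, computed on the representations only."""
    return rep0[0] ^ rep1[0], rep0[1] ^ rep1[1]
```

Obfuscating w₀ and w₁ under independent states, XORing the two pairs with xor_representations and de-obfuscating the result yields w₀ ⊕ w₁, because E is linear and the sum is exactly E(w₀ ⊕ w₁, σ₀ ⊕ σ₁), i.e. a valid representation with σ₂ = σ₀ ⊕ σ₁. The same linearity is why the determining means never needs to learn w₀, w₁ or the states.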